id's not used in x days

I'm trying to see if this time, my request makes more
sense as last time I think I might have been unclear.
I'm working with auditors and managers to try and
create a report of users who have not logged into an
AIX box in the last X number of days. Has anyone done
this type of report before or know if there's a
built-in lsuser option for this? Thanks in advance.


I have a set of shell scripts that I think will do what you want. All are based on the output of a Perl script that scans the /etc/lastlog file and generates a delimited work file with the date and time in readable format.

If they are close, you can modify them instead of reinventing the wheel.

I keep them in a sub directory in /etc/security called loginrpts.
Send me your email and I'll tar it and send it to you as an attachment.

My understanding is that the time_last_login obtains its data from
/etc/security/lastlog.

And I am not aware that an ssh/scp/sftp connection updates
/etc/security/lastlog. It might under a newer version than I am running,
but I tested this and lastlog is not updated with an ssh connection.

But my initial point is the same: you need to determine ALL methods
of accessing an account, and then review each audit log file for
those methods.

For example, if "su" is the only possible method to access an
account, the /etc/security/lastlog file will not indicate that. It is
not updated upon login. Using lsuser -a time_last_login would give
inaccurate information.

Unless someone can guarantee that all login access times are trapped
in lastlog, I would not rely solely on that file for audit purposes.
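
An added example, not part of the original thread and not any poster's script: a filter that turns `lsuser -a time_last_login ALL` output into the "not logged in for X days" report the question asks for. It assumes the `name time_last_login=<epoch seconds>` line format, with the attribute absent for accounts that have no recorded login; the function names and sample data are constructed. Because it reads only lastlog-derived data, it has the blind spots raised in the reply above (for example `su` access), so accounts it flags should be checked against the other access logs before being treated as unused.

```shell
#!/bin/sh
# Added example: report accounts whose recorded last login is at least N days old.
# Assumed input format (as printed by `lsuser -a time_last_login ALL`):
#   name time_last_login=<epoch seconds>
#   name                                  <- attribute unset: no login recorded

# stale_users DAYS NOW_EPOCH   (hypothetical helper; reads lsuser-style lines on stdin)
# Prints "user age_in_days" for stale accounts and "user never-recorded" for
# accounts with no time_last_login value, so both groups reach the auditor.
stale_users() {
    awk -v days="$1" -v now="$2" '
    NF == 0 { next }                      # skip blank lines
    {
        user = $1; last = ""
        for (i = 2; i <= NF; i++)
            if ($i ~ /^time_last_login=[0-9]+$/) {
                split($i, kv, "=")
                last = kv[2]
            }
        if (last == "") { print user, "never-recorded"; next }
        age = int((now - last) / 86400)   # whole days since recorded login
        if (age >= days) print user, age
    }'
}

# Constructed sample standing in for real lsuser output.
sample_lsuser() {
cat <<'EOF'
root time_last_login=1700000000
alice time_last_login=1690000000
bob
svcbatch time_last_login=1699900000
EOF
}

# On an AIX host the pipeline would look like this (perl supplies the
# current epoch time):
#   lsuser -a time_last_login ALL | stale_users 90 "$(perl -e 'print time')"
```

Accounts reported as `never-recorded` are the ones most affected by the caveat above: they may be in use purely through paths that never update lastlog.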

Copyright 1998-2015 Ziff Davis, LLC (Toolbox.com). All rights reserved. All product names are trademarks of their respective companies. Toolbox.com is not
affiliated with or endorsed by any company listed at this site.